From eee28d3e9a160e7325581c2ccc3c7297b88e4cae Mon Sep 17 00:00:00 2001 From: DannyDannyDanny Date: Fri, 8 May 2026 07:23:09 +0200 Subject: [PATCH] phantom-ship + vps-relay: declare notes service + vhosts (port 8092) notes serves both notes.dannydannydanny.me (blog) and dannydannydanny.me (apex landing) from the same FastAPI process, switching on Host header. Source rsync'd from ~/python-projects/26_notes/ to /home/danny/notes/. Co-Authored-By: Claude Opus 4.7 (1M context) --- nixos/hosts/phantom-ship.nix | 38 +++++++++++++++++++++++++++++++----- nixos/hosts/vps-relay.nix | 8 ++++++++ 2 files changed, 41 insertions(+), 5 deletions(-) diff --git a/nixos/hosts/phantom-ship.nix b/nixos/hosts/phantom-ship.nix index 90df6de..b6b269f 100644 --- a/nixos/hosts/phantom-ship.nix +++ b/nixos/hosts/phantom-ship.nix @@ -49,11 +49,12 @@ in networking.firewall.trustedInterfaces = [ "enp0s31f6" ]; # KomTolk (:8080), Shelfish (:8081), Scuttle (:8082), Bananasimulator - # (:8083), Forgejo (:3000), Escape Hormuz (:8090), bon (:8091) are - # reachable only over the ZeroTier mesh — the vps-relay Caddy - # reverse-proxies into them. Same pattern as sunken-ship's bbbot. Not - # in global allowedTCPPorts, so the WAN side stays closed. - networking.firewall.interfaces."zt+".allowedTCPPorts = [ 3000 8080 8081 8082 8083 8090 8091 ]; + # (:8083), Forgejo (:3000), Escape Hormuz (:8090), bon (:8091), + # notes (:8092) are reachable only over the ZeroTier mesh — the + # vps-relay Caddy reverse-proxies into them. Same pattern as + # sunken-ship's bbbot. Not in global allowedTCPPorts, so the WAN side + # stays closed. + networking.firewall.interfaces."zt+".allowedTCPPorts = [ 3000 8080 8081 8082 8083 8090 8091 8092 ]; hardware.enableRedistributableFirmware = true; # iwlwifi (Intel 8260) + GPU + BT firmware 
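Review bot: The rewritten comment still says these ports are "reachable only over the ZeroTier mesh", but the context line just above sets `networking.firewall.trustedInterfaces = [ "enp0s31f6" ]`, which opens every port on that interface. Because the notes unit added later in this patch binds `--host ::`, 8092 is presumably also reachable from whatever network is attached to enp0s31f6. The `zt+` wildcard also matches every ZeroTier interface, so any member of any joined network can reach the backend directly and choose its own Host header without passing through Caddy. I would state the actual exposure in the comment, e.g. `# Reachable over ZeroTier (any zt* interface) and the trusted enp0s31f6 LAN; not in global allowedTCPPorts, so WAN stays closed.` The enclosing module attribute set starts and ends outside this hunk.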
@@ -475,6 +476,33 @@ in }; }; + # notes — tiny markdown blog + apex landing page. + # One service serves two hostnames via Host-header switch: + # notes.dannydannydanny.me → blog + # dannydannydanny.me → landing + # Code rsync'd from ~/python-projects/26_notes/ to /home/danny/notes/ + systemd.services.notes = let + pythonEnv = pkgs.python3.withPackages (ps: with ps; [ + fastapi + uvicorn + markdown + jinja2 + ]); + in { + description = "notes — markdown blog + landing page"; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pythonEnv ]; + serviceConfig = { + WorkingDirectory = "/home/danny/notes"; + ExecStart = "${pythonEnv}/bin/python -m uvicorn server:app --host :: --port 8092"; + Restart = "on-failure"; + RestartSec = 10; + User = "danny"; + }; + }; + # Hara morning heartbeat — daily email check + Telegram good-morning ping. # Runs claude in print mode with the Gmail MCP, then sends output via Bot API. # Token lives in ~/.claude/channels/telegram/.env (managed by the telegram plugin). diff --git a/nixos/hosts/vps-relay.nix b/nixos/hosts/vps-relay.nix index 3d34a1a..306c127 100644 --- a/nixos/hosts/vps-relay.nix +++ b/nixos/hosts/vps-relay.nix @@ -132,6 +132,14 @@ "bon.dannydannydanny.me".extraConfig = '' reverse_proxy http://[fdd5:53a2:de33:d269:6499:936c:48a:bbdc]:8091 ''; + # notes — markdown blog (notes.X) + apex landing (X). Same backend + # service on phantom :8092 routes by Host header. + "notes.dannydannydanny.me".extraConfig = '' + reverse_proxy http://[fdd5:53a2:de33:d269:6499:936c:48a:bbdc]:8092 + ''; + "dannydannydanny.me".extraConfig = '' + reverse_proxy http://[fdd5:53a2:de33:d269:6499:936c:48a:bbdc]:8092 + ''; }; };
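Review bot: `systemd.services.notes` runs an internet-reachable FastAPI process as the login user (`User = "danny"`) out of `/home/danny/notes` with no sandboxing in `serviceConfig`. A path-handling or template bug in the blog code would therefore read anything danny can, including the `~/.claude/channels/telegram/.env` token mentioned in the comment just below this unit. Hiding the rest of /home and mounting only the code directory read-only keeps the same user and rsync workflow while removing that reach. If the app writes into its own directory (not visible here), `BindPaths` would be needed instead of `BindReadOnlyPaths`.

```nix
    serviceConfig = {
      # … unchanged: WorkingDirectory, ExecStart, Restart, RestartSec, User …
      NoNewPrivileges = true;
      PrivateTmp = true;
      ProtectSystem = "strict";
      # Empty tmpfs over /home, then expose only the app directory.
      ProtectHome = "tmpfs";
      BindReadOnlyPaths = [ "/home/danny/notes" ];
    };
```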
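Review bot: The two new vhosts in vps-relay.nix carry byte-identical `reverse_proxy` bodies, and the phantom-ship ZeroTier address is now repeated as a literal in three visible entries, so a later address or port change can easily miss one. Assuming this attribute set is `services.caddy.virtualHosts` (its header is outside the hunk), the apex could be an alias of the notes host: `"notes.dannydannydanny.me" = { serverAliases = [ "dannydannydanny.me" ]; extraConfig = ''…''; };`. Binding the backend address once in a `let` would serve the same purpose. It would also help to add a comment noting that the backend picks the site from the forwarded Host header, and what it serves for an unrecognised one.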